  • The San Juan Daily Star

Comptroller finds lapses in Teachers’ Retirement info systems


A comptroller’s report says the Teachers’ Retirement System’s current Risk Estimate and Analysis document, which is dated 2009, lacks an inventory of the assets of the information systems and also lacks details on equipment, programs and data.

By John McPhaul

jpmcphaul@gmail.com


The Comptroller of Puerto Rico on Tuesday issued a qualified opinion on the operations of the Information Systems Office of the Teachers’ Retirement System.


The report reveals that the current Risk Estimate and Analysis document, which was produced in 2009, lacks an inventory of the assets of the information systems and lacks details of the equipment, programs and data of the Retirement System.


In addition, the risk analysis does not identify possible threats against information systems, a situation that makes it impossible to estimate the impact that the risk elements would have on the main areas and systems, the report said.


The audit, which contains five findings, indicates that the Technology Strategy document needs to be updated. As of Nov. 9, 2021, the document did not include applications implemented after 2009, mentioned names of personnel who no longer work in the system, and defined an alternate center that no longer exists. The situation can lead to improvisation and a high risk of incurring excessive and unnecessary expenses, the report said.


The Teachers’ Retirement System does not keep backup copies of employee documents or internally developed applications in a secure off-site location, the report noted. As of May 11, 2021, the system also did not have an alternate center to restore its critical computerized operations in case of emergency.


The auditors found multiple deficiencies with the PeopleSoft finance application and with the administration and documentation of active access accounts in the Integrated Contributions and Benefits System (SABI).


Among the control lapses the auditors examined were the lack of documentary evidence and information on the authorizations necessary to create accounts and to grant access privileges. In addition, the auditors found permissions that did not correspond to the functions of the account holders' positions, and accounts that were still active and had not been deactivated for former employees and volunteers with more than a year out of service.
